Morgan Stanley Smith Barney (MSSB) has earned itself a huge fine from the U.S. government after failing to protect the personally identifiable information (PII) of millions of customers. In a notice posted Monday, the SEC announced that the company consented to the agency’s finding that it violated federal regulations regarding the safeguarding and disposal of customer data. In response, MSSB has agreed to pay a penalty of $35 million.
Why was Morgan Stanley Smith Barney fined?
The finding stems from actions dating back as far as 2015 in which MSSB neglected to correctly dispose of hardware containing the PII of its customers. Tasked with decommissioning thousands of hard drives and servers with customer data on several occasions, the company hired a moving and storage firm with no experience in data destruction and failed to monitor the firm’s work, according to the SEC.
The agency’s investigation found that the moving firm sold thousands of the servers and hard drives, some with customer PII, to a third party. Those devices ultimately were resold on an internet auction site, still with the customer data on them. MSSB recovered some of the devices, but most are still missing, including 42 servers. The recovered devices were found with unencrypted customer information. Even though the company had equipped them with an encryption option, it neglected to activate that feature.
“MSSB’s failures in this case are astonishing,” said Gurbir Grewal, director of the SEC’s Enforcement Division. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”
SEE: Mobile device security policy (TechRepublic Premium)
What was MMSB’s response?
On its end, MSSB complied with the SEC’s order and agreed to pay the fine without admitting or denying the actual findings. In a statement sent to TechRepublic, an MSSB spokesperson said: “We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information.”
But MSSB clearly made several mistakes in this chain of events. The company failed to properly vet the moving and storage firm. It failed to monitor the work of that firm. And it failed to implement the proper encryption even though the option was available.
“The case of MSSB is unique since they gave hard drives and servers to a third party while storing PII in plaintext,” said Gil Dabah, co-founder and CEO of security firm Piiano. “Usually, attackers must gain credentials using social hacking or utilizing known vulnerabilities. A few lines of defense are needed (like access control, tokenization, masking, etc.) to prevent unauthorized access to PII. Here, simple encryption would have solved the problem.”
The fine combined with MSSB’s failures to protect personal data should serve as a wake-up call to other organizations that collect and store sensitive customer information.
“The size of the fine speaks to the visibility that data security should have within an organization,” said Mike Puterbaugh, CMO at security firm Pathlock. “Suffice to say this should be seen as a board-level accountability topic. This news should create a call to action to review data security capabilities (tools, processes, etc.) and ensure that internal audits encompass the testing and proving of data security controls.”
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Advice for organizations
How can organizations make sure they’re properly securing customer data and avoid regulatory or legal problems?
“Organizations should start with the most attractive target for data thef—the business applications that every company relies upon,” Puterbaugh said, citing ERP, HR, and supply chain apps as specific examples.
Proper data security requires that organizations have the necessary tools for testing their controls, according to Puterbaugh. This includes role-based access controls that determine who can perform what tasks and policy-based access controls designed to dynamically protect data.
“What’s important for company boards and leadership to understand is that data security requires the business (the lines of business that rely on the business applications that store sensitive data) and IT (responsible for protecting and securing broader systems) to work together to create effective policies for securing sensitive data,” Puterbaugh added.
If your organization needs a policy for properly disposing sensitive electronic data, TechRepublic Premium has one to get you started. Click here to download it now and subscribe to gain access to more useful resources.